The New York Department of Financial Services has issued proposed “first-in-the-nation” cybersecurity rules that could place a heavy compliance burden on affected financial companies; Morgan Lewis submitted a comment letter urging that several of the proposals be modified.
On September 13, the New York State Department of Financial Services (NYDFS) issued proposed cybersecurity rules that would require banks, insurers, and other NYDFS-regulated financial services companies to adhere to stringent cybersecurity requirements mandating firms to, among other things, test their systems, establish plans to respond to cybersecurity events, and annually certify compliance with the cybersecurity requirements, among other mandates (Proposed Rules). The NYDFS described the Proposed Rules as “a new first-in-the-nation regulation.”
Comments on the proposed rule were due by November 14. Morgan Lewis submitted a comment letter as summarized below.
The Proposed Rules would apply to all firms subject to NYDFS oversight (Covered Entities), irrespective of whether such Covered Entities already adhere to other cybersecurity regulations imposed at the federal or state level. Although the Proposed Rules provide a limited exemption for “small” Covered Entities, in our view, the exemption does not provide meaningful relief because it is too narrow and imposes many of the same substantive requirements on small Covered Entities that are ostensibly “exempt” as it does on other Covered Entities.
We previously wrote about the Proposed Rules (see our September 2016 LawFlash, “NYDFS: ‘First-in-the-Nation’ Cybersecurity Proposal”) and noted that the Proposed Rules would, among other things, require Covered Entities to do the following:
Having assisted clients in all phases of their cybersecurity needs and issues—including on cybersecurity risk assessments and prevention measures, responding to cybersecurity incidents, and developing cybersecurity policies and programs—and because a large number of our clients fall within the scope of the Proposed Rules, we have submitted a comment letter to the NYDFS.
In our comment letter, we urged the NYDFS to reconsider several of its proposals. Our recommendations are summarized below:
The Proposed Rules, unless modified, will become effective on January 1, 2017, with a 180-day grace period for compliance. Thus, Covered Entities would be required to have a cybersecurity program in place and be in compliance with other requirements by June 30, 2017 (Compliance Date). To the extent that the NYDFS retains an annual compliance certification requirement, Covered Entities would begin filing the annual compliance certification on January 15, 2018.
Covered Entities should monitor NYDFS announcements for the final rules and ensure that they are ready for the Compliance Date, which means that Covered Entities should start taking steps necessary to comply with the fundamental requirements that the NYDFS likely will adopt in some fashion.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Mark L. Krotoski
Merri Jo Gillette
 See Press Release; Governor Cuomo Announces Proposal of First-in-the-Nation Cybersecurity Regulation to Protect Consumers and Financial Institutions (Sept. 13, 2016); see also New York State Department of Financial Services Proposed 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies.
 The Proposed Rules define “Information System” as “a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.” See Proposed Rule 500.01(e).
 See Proposed Rules 500.01(d); 500.02.
 Proposed Rule 500.03(a) mandates that cybersecurity policies address (1) information security; (2) data governance and classification; (3) access controls and identity management; (4) business continuity and disaster recovery planning and resources; (5) capacity and performance planning; (6) systems operations and availability concerns; (7) systems and network security; (8) systems and network monitoring; (9) systems and application development and quality assurance; (10) physical security and environmental controls; (11) customer data privacy; (12) vendor and third-party service provider management; (13) risk assessment; and (14) incident response.
 See Proposed Rule 500.04.
 See Proposed Rules 500.05-10, 15-16.
 See Proposed Rule 500.11.
 See Proposed Rule 500.17(a).
 See Proposed Rule 500.17(b).